From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail.kernel.org ([198.145.29.99]:59684 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753495AbeERIVK (ORCPT); Fri, 18 May 2018 04:21:10 -0400
From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+141d898c5f24489db4aa@syzkaller.appspotmail.com, Xin Long, Neil Horman, Marcelo Ricardo Leitner, "David S. Miller"
Subject: [PATCH 4.14 25/45] sctp: remove sctp_chunk_put from fail_mark err path in sctp_ulpevent_make_rcvmsg
Date: Fri, 18 May 2018 10:15:42 +0200
Message-Id: <20180518081531.619661054@linuxfoundation.org>
In-Reply-To: <20180518081530.331586165@linuxfoundation.org>
References: <20180518081530.331586165@linuxfoundation.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: stable-owner@vger.kernel.org
List-ID:

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Xin Long

[ Upstream commit 6910e25de2257e2c82c7a2d126e3463cd8e50810 ]

In commit 1f45f78f8e51 ("sctp: allow GSO frags to access the chunk too"), it held the chunk in sctp_ulpevent_make_rcvmsg to access it safely later in recvmsg. However, it also added sctp_chunk_put in the fail_mark err path, which is only triggered before holding the chunk.

syzbot reported a use-after-free crash that happened on this err path, where it shouldn't call sctp_chunk_put.

This patch simply removes this call.

Fixes: 1f45f78f8e51 ("sctp: allow GSO frags to access the chunk too")
Reported-by: syzbot+141d898c5f24489db4aa@syzkaller.appspotmail.com
Signed-off-by: Xin Long
Acked-by: Neil Horman
Acked-by: Marcelo Ricardo Leitner
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/sctp/ulpevent.c | 1 -
 1 file changed, 1 deletion(-)

--- a/net/sctp/ulpevent.c
+++ b/net/sctp/ulpevent.c
@@ -717,7 +717,6 @@ struct sctp_ulpevent *sctp_ulpevent_make return event; fail_mark: - sctp_chunk_put(chunk); kfree_skb(skb); fail: return NULL;
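Review bot: dropping sctp_chunk_put(chunk) at fail_mark is only correct if every `goto fail_mark` in sctp_ulpevent_make_rcvmsg sits before the sctp_chunk_hold() that 1f45f78f8e51 added; the hunk shows neither the jump sites nor the hold, so the reviewer should confirm in net/sctp/ulpevent.c that no error path after the hold jumps to this label, since such a path would now leak the chunk reference instead of dropping it twice. Once verified, the invariant is worth writing down at the label, e.g. `fail_mark: /* chunk is not held yet; only the cloned skb needs freeing */`, so the next person touching the error paths does not reintroduce the put. Without the put, fail_mark differs from fail only by kfree_skb(skb), which matches the skb_clone that precedes the tsn_map marking in this function.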